Computer security systems utilize signatures of known malicious code or activities to identify specific attacks. Commercial security system vendors maintain large collections of such signatures, which are created over time based on security research and the monitoring of malicious activity across a wide base of organizations and endpoints. The triggering of an individual signature points to an individual security problem, such as JavaScript trying to communicate with a known malicious host, a particular fake antivirus advertisement, reconnaissance of installed browser plugins, a suspicious port scan, the presence of Adobe Flash, a weakness in a network service, an operating system exploit, etc. When triggered, a signature generates a specific alert concerning the corresponding security issue.
However, contemporary complex attacks consist of multiple malicious activities. Such attacks are only partly detected, as a set of individual security problems, which prevents analysts from understanding the attack as a whole, i.e., as a well-orchestrated series of activities aimed at progressively eroding the security of the targeted systems. These complex attacks can use multiple steps to probe, infect and maintain a presence on systems. Such complex multipart attacks are not described by single signatures. A single alert provides no information concerning what previous malicious events are likely to have occurred, or what attempted malicious activity is likely to follow.
Different complex multipart attacks can also behave very differently from one another, which creates additional detection challenges. For example, one complex attack could take the form of an exploit of a vulnerability that was newly discovered by a malicious party and as yet remains unknown to security vendors. Because no signature exists for the exploit itself, the attack could be carried out directly through a few highly targeted actions, without a need to obfuscate the attack strategy very much. The only alerts generated by this complex attack could be largely fixed sequences of generic or side-effect alerts, corresponding to actions such as hosts communicating with suspicious infrastructure, a large number of broken connections, a sudden increase in CPU usage, etc. Although these events are all part of a multipart attack, they would not conventionally register as being related.
On the other hand, another complex attack could act completely differently and raise many alerts, for example while trying the various exploits available in a known exploit kit. A complex attack of this type would typically attempt to mask its activities, for example by employing stealthy probing (e.g., via fake ads), by reshuffling the sequence of its multiple activities, by deliberately triggering “bait” alerts, etc. This creates noise and triggers multiple inconclusive alerts.
Whereas both of the above-described attacks are complex and multipart, identifying and characterizing the direct strategy of the first kind of multipart attack is a very different task from identifying and characterizing the noisy activities associated with particular exploit stages of a stealthy multipart attack of the second kind.
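As an added illustration, not code from the original document, the following Python sketch models the signature-and-alert mechanism described above. Each signature is a regular expression applied to one event in isolation; each hit produces one alert that names only the event it fired on. Run over two constructed event streams, a direct attack whose exploit has no signature and a noisy exploit-kit attack with reshuffled steps and a bait port scan, it shows that the per-host alert list is all an analyst receives: the exploit event itself produces nothing, and no alert carries a link to the alerts before or after it. All signatures, host names and event lines are constructed for this example.

```python
"""Added example of signature-based alerting (not from the original page).

All signatures, hosts and event lines below are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed signatures: (name, regex applied to an event's "detail" text).
SIGNATURES = [
    ("js_known_malicious_host", r"script .*connect\w* to c2\.bad\.example"),
    ("fake_antivirus_ad",       r"fake antivirus"),
    ("browser_plugin_recon",    r"enumerat\w* (browser )?plugins"),
    ("port_scan",               r"syn to \d+ ports"),
    ("flash_present",           r"Shockwave Flash"),
    ("suspicious_infra_comms",  r"connect\w* to \S+\.suspicious\.example"),
    ("many_broken_connections", r"\d+ broken connections"),
    ("cpu_spike",               r"cpu usage jumped"),
]

# Constructed event streams (ts = seconds, host = endpoint name).
EVENTS = [
    # Direct attack on ws-01: the exploit is unknown to the vendor, so only
    # side effects are visible to the signature engine.
    {"ts": 10, "host": "ws-01", "detail": "crafted document opened; embedded object runs unrecognised code"},
    {"ts": 11, "host": "ws-01", "detail": "outbound connect to cdn-updates.suspicious.example"},
    {"ts": 12, "host": "ws-01", "detail": "412 broken connections in 60s"},
    {"ts": 13, "host": "ws-01", "detail": "cpu usage jumped to 97%"},
    # Noisy exploit-kit attack on ws-02: stealthy probing via a fake ad,
    # steps out of their natural order, and a bait port scan in the middle.
    {"ts": 20, "host": "ws-02", "detail": "Shockwave Flash plugin present in browser"},
    {"ts": 21, "host": "ws-02", "detail": "fake antivirus advertisement rendered"},
    {"ts": 22, "host": "ws-02", "detail": "landing page probes java version"},
    {"ts": 23, "host": "ws-02", "detail": "syn to 1024 ports on 10.0.0.5"},
    {"ts": 24, "host": "ws-02", "detail": "script enumerating browser plugins"},
    {"ts": 25, "host": "ws-02", "detail": "script attempts to connect to c2.bad.example"},
]


def run_signatures(events, signatures=SIGNATURES):
    """Apply every signature to every event independently.

    One hit yields one alert recording only the event it fired on. There is
    deliberately no field tying an alert to earlier or later alerts: that is
    the gap single-signature detection leaves for multipart attacks.
    """
    alerts = []
    for ev in events:
        for name, pattern in signatures:
            if re.search(pattern, ev["detail"], re.IGNORECASE):
                alerts.append({"ts": ev["ts"], "host": ev["host"], "signature": name})
    return alerts


def untriggered_events(events, signatures=SIGNATURES):
    """Return events that match no signature at all, e.g. a not-yet-known exploit."""
    return [
        ev for ev in events
        if not any(re.search(p, ev["detail"], re.IGNORECASE) for _, p in signatures)
    ]


def alert_timeline(alerts):
    """Per-host list of signature names in time order.

    This is the most an analyst can reconstruct from the alerts alone; whether
    the entries form one attack or several is not encoded anywhere.
    """
    by_host = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["ts"]):
        by_host[a["host"]].append(a["signature"])
    return dict(by_host)


if __name__ == "__main__":
    timeline = alert_timeline(run_signatures(EVENTS))
    for host, names in timeline.items():
        print(host, "->", " / ".join(names))
    for ev in untriggered_events(EVENTS):
        print("no signature fired for:", ev["detail"])
```

Running the block prints the ws-01 timeline as three generic side-effect alerts in a fixed order and the ws-02 timeline as five assorted alerts, bait included, while the exploit events on both hosts fire nothing.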
It would be desirable to address these issues.